When CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) first came out I think we can all agree that it was a giant pain in the ass but some times it was comical.
About 9 years ago (who knew it was older than the original iPhone?), reCAPTCHA was released and got ride of the puzzle solving by simplifying the process to a check box.
Now, reCAPTCHA finally getting an “invisible” face lift. Check out the video by Google:
You can read more about it here. Don’t like marketecture? Check out the simplicity of adding this service to your site here. I am very pleased how easy it can be installed:
<html> <head> <title>reCAPTCHA demo: Simple page</title> <script src="https://www.google.com/recaptcha/api.js" async defer></script> <script> function onSubmit(token) { document.getElementById("demo-form").submit(); } </script> </head> <body> <form id='demo-form' action="?" method="POST"> <button class="g-recaptcha" data-sitekey="your_site_key" data-callback='onSubmit'>Submit</button> <br/> </form> </body> </html>
Like its predecessors, invisible reCAPTCHA will be a free service to help battle against bots and the bad guys. Which makes me think:
“If you are not paying for it, you’re not the customer; you’re the product being sold”–Andrew Lewis
Let us not forget, Google is an AD company first. While the “advanced security” touts an advanced risk engine and machine learning to distinguish bots from humans transparently, it will also check to see if the user is signed into his or her Google Account.
Think about it. For example, Google Flights has the ability to tell me when my next trip to PHX to LAS will be cheaper. How do they actually know that? Is the Google Bot allowed to crawl my prices? Or is Google crunching the stats on the back end via email or the embedded javascript?
Google invisible reCAPTCHA has the potential to be a serious contender in the anti-bot space however several things comes to mind:
- How do I allow the good bots into my site?
- Can invisible reCAPTCHA defend against headless bots such as phantom.js or selenium?
- At some point in the future (if not already), Google will maintain a blacklist of IPs once they’ve been flagged. How often will this be cleaned up?
- How do I whitelist my tools for scanning my application? (Rapid7, Qualys, Whitehat, etc)
- By embedding this javascript into my application, I get protection, but what PII data do I surrender?
- How do I troubleshoot false positives?
I believe that invisible reCAPTCHA will do a great job defending against bots but I do not think it is enterprise ready. Obvious functionality gaps from an operational perspective and the threat of my or my customer privacy being surrendered to an AD company will prohibit me from implementing this as an enterprise solution.
Regards,
BD